Yes, but the user's login and privilege info must be local then, which kind of defeats the purpose of tacacs in the first place. Off the top of my head the syntax would be something like:
! "local" is consulted only when the tacacs+ method returns an error (no server reachable),
! not when a reachable server rejects the user
aaa authentication login VTY group tacacs+ local
aaa authorization exec VTY group tacacs+ local
!
line vty 0 4
 login authentication VTY
 authorization exec VTY
This basically says that if the user tries to login and tacacs is down, get the password and privilege number locally.
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
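The method-list behaviour described above, modelled in a small Python script. This is an added example and not part of the original mail or any Cisco code: it assumes the thread's list name VTY, a constructed local user "cisco" at privilege 7, and a constructed TACACS+ user database that returns privilege 15 for "cisco" (the passwords are made up). It reproduces the three cases in the thread (server up, server down with if-authenticated, server down with local) and one the thread only implies: IOS falls through to the next method only when a method errors (server unreachable), never when a reachable server rejects the login, so a user whose local password differs from the TACACS+ one is not "rescued" by the local database while the server is up.

```python
"""Model of IOS AAA method-list fallback for login authentication and exec
authorization.  Added example, not from the thread; all user records below
are constructed for illustration."""

from typing import Callable, Optional, Sequence, Tuple

# Outcomes a single AAA method can return.  IOS moves on to the next method
# in a list only on ERROR (server unreachable); a FAIL from a reachable
# method is final and no later method is consulted.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample data (not real credentials): username -> (password, privilege).
LOCAL_USERS = {"cisco": ("cisco", 7)}           # 'username cisco privilege 7 password cisco'
TACACS_USERS = {"cisco": ("Tac4c5!", 15),       # assumed priv-lvl the TACACS+ server returns
                "noc": ("n0c", 5)}              # a user that exists only on the server

# Method lists mirroring the thread's 'aaa ... VTY ...' lines.
VTY_AUTHN = ("group tacacs+", "local")
VTY_AUTHZ_IF_AUTH = ("group tacacs+", "if-authenticated")   # the original poster's config
VTY_AUTHZ_LOCAL = ("group tacacs+", "local")                 # the fallback-to-local config

Outcome = Tuple[str, Optional[int]]


def authenticate(method: str, user: str, pw: str, tacacs_up: bool) -> Outcome:
    """One 'aaa authentication login' method; returns (outcome, None)."""
    if method == "group tacacs+":
        if not tacacs_up:
            return ERROR, None
        rec = TACACS_USERS.get(user)
        return (PASS if rec and rec[0] == pw else FAIL), None
    if method == "local":
        rec = LOCAL_USERS.get(user)
        return (PASS if rec and rec[0] == pw else FAIL), None
    raise ValueError(f"unknown authentication method {method!r}")


def authorize_exec(method: str, user: str, tacacs_up: bool) -> Outcome:
    """One 'aaa authorization exec' method; returns (outcome, privilege)."""
    if method == "group tacacs+":
        if not tacacs_up:
            return ERROR, None
        rec = TACACS_USERS.get(user)
        return (PASS, rec[1]) if rec else (FAIL, None)
    if method == "local":
        rec = LOCAL_USERS.get(user)
        return (PASS, rec[1]) if rec else (FAIL, None)
    if method == "if-authenticated":
        # Grants the exec session to anyone already authenticated, but carries
        # no privilege attribute, so the shell starts at the default level 1.
        return PASS, 1
    raise ValueError(f"unknown authorization method {method!r}")


def run_method_list(methods: Sequence[str], run: Callable[[str], Outcome]) -> Outcome:
    """Try methods in order; only an ERROR moves on to the next one."""
    for method in methods:
        outcome, value = run(method)
        if outcome != ERROR:
            return outcome, value
    return ERROR, None   # every method errored: IOS denies access


def exec_privilege(user: str, pw: str, authz: Sequence[str],
                   tacacs_up: bool = True,
                   authn: Sequence[str] = VTY_AUTHN) -> Optional[int]:
    """Privilege level the exec session starts at, or None if login is denied."""
    outcome, _ = run_method_list(authn, lambda m: authenticate(m, user, pw, tacacs_up))
    if outcome != PASS:
        return None
    outcome, priv = run_method_list(authz, lambda m: authorize_exec(m, user, tacacs_up))
    return priv if outcome == PASS else None


if __name__ == "__main__":
    cases = [
        ("server up, if-authenticated", ("cisco", "Tac4c5!", VTY_AUTHZ_IF_AUTH, True)),
        ("server down, if-authenticated", ("cisco", "cisco", VTY_AUTHZ_IF_AUTH, False)),
        ("server down, local", ("cisco", "cisco", VTY_AUTHZ_LOCAL, False)),
        ("server up, local password only", ("cisco", "cisco", VTY_AUTHZ_LOCAL, True)),
        ("server down, server-only user", ("noc", "n0c", VTY_AUTHZ_LOCAL, False)),
    ]
    for label, args in cases:
        print(f"{label:32s} -> privilege {exec_privilege(*args)}")
```

The last two cases are the ones to keep in mind when relying on local fallback: while the server is reachable its answer is final, and a user who exists only on the server gets nothing once it is down, because "local" looks the username up in the local database rather than trusting a cached server decision.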
On Sep 20, 2012, at 11:33 PM, "ccie99999" <ccie99999_at_gmail.com> wrote:
> thanks Marc,
>
> it's clear now.
>
> expected question now: is there a way to authorize local users (if
> tacacs/radius fail) with their own privilege level?
>
> I suppose not, right?
>
>
> On Fri, Sep 21, 2012 at 4:16 AM, marc abel <marcabel_at_gmail.com> wrote:
>
>> the command "if-authenticated" isn't telling it to check the user to see
>> what level it is authorized, it is simply saying if they are authenticated,
>> then they are authorized. It is giving the authorization level 1 by
>> default. You can change this by using
>>
>> aaa authorization commands 7 default if-authenticated
>>
>> but now all users that are authenticated are authorized as level 7, it
>> isn't going to check the local user. In your example it would check the
>> tacacs server first and assign whatever is assigned there, but once the
>> tacacs server can't be reached and the fall back "if-authenticated" kicks
>> in, all users are getting the same authorization.
>>
>>
>> -Marc
>>
>> On Thu, Sep 20, 2012 at 10:56 PM, ccie99999 <ccie99999_at_gmail.com> wrote:
>>
>>> hi guys,
>>>
>>> I'm working on AAA and it's not the first time I get stuck here.
>>>
>>> if I have a local user with privilege level 7 like this one:
>>>
>>> username cisco privilege 7 password cisco
>>>
>>> why, if I authorize him with if-authenticated, do I only get privilege 1??
>>>
>>> aaa authentication login VTY group tacacs+ local
>>> aaa authorization exec VTY group tacacs+ if-authenticated
>>>
>>>
>>> line vty 0 4
>>> password line
>>> authorization exec VTY
>>> login authentication VTY
>>> transport input telnet
>>>
>>> telnet to R1:
>>>
>>> USER: admin
>>> PASSWORD:
>>> Rack1R1>
>>> Rack1R1>show priv
>>> Current privilege level is 1
>>>
>>> checking the aaa conf guide I find this:
>>>
>>> To allow users to have access to the functions they request as long as
>>> they have been authenticated, use the aaa authorization command with the
>>> if-authenticated method keyword. If this method is selected, all requested
>>> functions are automatically granted to authenticated users.
>>>
>>> then I don't understand..
>>>
>>> btw if I change the conf to local instead of if-authenticated I get
>>> privilege 7 as expected.
>>>
>>> thanks
>>>
>>>
>>> --
>>> @ccie99999
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> --
>> Marc Abel
>> CCIE #35470
>> (Routing and Switching)
>>
>>
>
>
> --
> @ccie99999
Received on Fri Sep 21 2012 - 00:38:39 ART
This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART